
Scanning Headers

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5213
Printed Date: 01 July 2025 at 3:56pm


Topic: Scanning Headers
Posted By: Desperado
Subject: Scanning Headers
Date Posted: 06 June 2005 at 12:54pm

All,

Trying to detect:

Received: from [153.160.239.84] (port=3379 helo=[Jan])

In the headers with no success.  I have a working RegEx but it still doesn't see it. I have the setting ScanReceivedHeaders=1 in my INI file.  I have a keyword of:

((?i)received: from \[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)

Thoughts?

Regards,



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com




Replies:
Posted By: Desperado
Date Posted: 12 June 2005 at 4:55pm

OK then ... I will answer myself.

The following *DOES* work
((?i)\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)

Leaving the "received: from" part out.

Regards,



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: kspare
Date Posted: 13 June 2005 at 2:47am
What is the advantage of that regex?


Posted By: Desperado
Date Posted: 13 June 2005 at 7:20am

Kevin,

I am finding a stupid amount of spam with something like:
Received: from [43.53.50.36] (port=3173 helo=[Armand])

in the headers.  I have had zero false positives so far by killing messages with this type of header, and I am catching a lot.

Regards,



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: kspare
Date Posted: 13 June 2005 at 9:38am
Interesting, I'm always curious to try out your stuff, so I just need that regex as it sits?


Posted By: Desperado
Date Posted: 13 June 2005 at 9:50am

Kevin,

((?i)\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)

Should work.

EXAMPLE:

2   http://spamman.mags.net/virtadmin/VirtResolveSpam.asp?QuarID=42491523&MsgID=29597970 - Text OR http://spamman.mags.net/virtadmin/VirtResolveSpamAsHTML.asp?QuarID=42491523&MsgID=29597970 - HTML     mailto:joe@domain.net - joe@domain.net Heriberto@wsm.com i have seen some sh*t, but this. 6/13/2005 9:50:18 AM Keywords found in content Found Keywords: [((?i)\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)] SID=5 mx01
3   http://spamman.mags.net/virtadmin/VirtResolveSpam.asp?QuarID=42491522&MsgID=29597969 - Text OR http://spamman.mags.net/virtadmin/VirtResolveSpamAsHTML.asp?QuarID=42491522&MsgID=29597969 - HTML     mailto:joe@domain.net - joe@domain.net Heriberto@wsm.com i have seen some sh*t, but this. 6/13/2005 9:50:16 AM Keywords found in content Found Keywords: [((?i)\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)] SID=5 mx0
Regards,

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: kspare
Date Posted: 13 June 2005 at 9:57am
Does it require subject: before it or just throw it in the keywords black list?


Posted By: Desperado
Date Posted: 13 June 2005 at 10:08am

Throw it in EXACTLY as is, but make sure your INI setting for header scanning is turned on.

ScanReceivedHeaders=1

This is a "Received" line in the header.

Regards,



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
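The rule discussed in this thread, exercised against sample headers so that a reader can see what it does and does not fire on. This is an added example written for this page; it is not code from the thread or from LogSat. It assumes Python's re module rather than SpamFilter ISP's engine: the two regexes are copied from the posts above with one change, the inline (?i) is replaced by re.IGNORECASE, because Python rejects a global flag that is not at the start of the pattern. The thread does not say why the prefixed version failed inside the product; the value_only mode below is only an assumption used to illustrate one way a "received: from" prefix can stop a rule from matching (if the scanner hands the rule the header value without the header name). The sample lines are constructed; the first two are the ones quoted in the thread, the rest use the RFC 5737 documentation address range.

```python
import re

# Rules copied from the thread. SpamFilter ISP accepts "(?i)" inside the leading
# group; Python's re module requires global flags at the start of the pattern, so
# the flag is passed as re.IGNORECASE and the outer capturing group is kept.
WORKING_RULE = r"(\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)"
PREFIXED_RULE = r"(received: from \[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)"

# Constructed sample Received lines. The first two are quoted in the thread; the
# rest are invented to probe the rule's edges (192.0.2.0/24 is the RFC 5737
# documentation range, so none of these are real hosts).
SAMPLES = [
    "Received: from [153.160.239.84] (port=3379 helo=[Jan])",
    "Received: from [43.53.50.36] (port=3173 helo=[Armand])",
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) "
    "by mx.example.net with ESMTP id ABC123",
    "Received: from [192.0.2.5] (port=25 helo=[relay])",                 # two-digit port
    "Received: from [192.0.2.7] (port=49152 helo=mailer.example.org)",  # HELO not bracketed
]


def header_value(line: str) -> str:
    """Return the part of a header line after the 'Name:' prefix."""
    _name, _sep, value = line.partition(":")
    return value.strip()


def rule_hits(rule: str, lines, value_only: bool = False) -> list:
    """Return the lines a rule matches.

    With value_only=True the rule is applied to the header value alone, i.e.
    without the 'Received:' prefix. This is an assumed scanner behaviour, used
    here only to show when the prefixed rule stops firing.
    """
    pattern = re.compile(rule, re.IGNORECASE)
    hits = []
    for line in lines:
        subject = header_value(line) if value_only else line
        if pattern.search(subject):
            hits.append(line)
    return hits


def compare_rules(lines=SAMPLES) -> dict:
    """Summarise which constructed lines each rule catches in both scan modes."""
    return {
        "working_full_line": rule_hits(WORKING_RULE, lines),
        "working_value_only": rule_hits(WORKING_RULE, lines, value_only=True),
        "prefixed_full_line": rule_hits(PREFIXED_RULE, lines),
        "prefixed_value_only": rule_hits(PREFIXED_RULE, lines, value_only=True),
    }


if __name__ == "__main__":
    for mode, hits in compare_rules().items():
        print(f"{mode}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Running it shows the working rule and the prefixed rule both catch the two spam-style lines when given the full header line, and that the prefixed rule catches nothing once the "Received:" name is stripped. The constructed edge cases also show what the rule's own constraints exclude: a port with fewer than three digits fails `(\d){3,}`, and a HELO that is not wrapped in square brackets fails `helo=\[`, which is worth knowing before trusting a zero-false-positive rate on a larger mail stream.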



